CYBER RISK INDEX (CRI)


With cyberattacks a constant threat, it's crucial for companies to focus on assessing, detecting, preventing, 
and responding to today's cyber threats. In this iteration of the CRI, performed in 2H'2021, Trend Micro and 
Ponemon Institute conducted research among IT managers across Europe, Asia-Pacific, Latin/South America, 
and North America. These findings are used to create a comprehensive index to assess an organization's cyber 
risk maturity level. Three of four regions showed an elevated risk level, while Asia-Pacific showed a 
moderate risk level, contributing to an overall elevated risk level worldwide. 


Current global cyber risk level: Elevated Risk

Lower CRI = Higher Risk

*The index is based on a numerical scale of -10 to 10, with -10 representing the highest level of risk.


Top risk factors in the 2H'2021

Operation Risks:

• My organization's IT security function lacks support of security in the DevOps environment.
• My organization's IT security function does not strictly enforce acts of non-compliance to security policies, standard operating procedures, and external requirements.

Human Capital Risks:

• My organization's IT security leader (CISO) doesn't have sufficient authority and resources to achieve a strong security posture.
• My organization's IT security leader does not report to senior leadership (such as the CEO, COO, or CIO).

Infrastructure Risks:

• My organization's IT security function lacks the ability to locate the physical location of business-critical data assets and applications.
• My organization doesn't make appropriate investments in leading-edged security technologies such as machine learning, automation, orchestration, analytics, and/or artificial intelligence tools.

[Figure: Cyber Risk Index (Elevated Risk) shown with Operational Risk, Human Capital Risk and Infrastructure Risk]

Top 5 Cyber Threats Across World:

1. Ransomware
2. Phishing and social engineering
3. Denial of service (DoS)
4. Botnets
5. Man-in-the-middle attack

Top 5 Negative Consequences of an Attack Across World:

1. Stolen or damaged equipment
2. Cost of outside consultants and experts
3. Customer turnover
4. Reputation or brand damage
5. Regulatory actions or lawsuits

Top 5 Security Risks in Infrastructure Across World:

1. Mobile/remote employees
2. Cloud computing infrastructure and providers
3. Across third-party applications
4. Malicious insiders
5. Mobile devices such as smart phones


Cyber Risk Index 


This index measures the difference between the Cyber Preparedness Index and the Cyber 
Threat Index. In other words, the divide between an organization's current security 
posture and their likelihood of being attacked. 

Latin/South America has the highest overall risk, due to less preparedness than the other three regions.

Elevated likelihood of a compromise

Elevated risk in detecting new threats across all regions


Breakdown of Cyber Risk Index 

The Cyber Preparedness Index is at a moderate risk for North America, Europe, and Asia-Pacific, but Latin/South America has concerns over its ability to detect and prevent new attacks with an elevated risk level.

Overall, all organizations are at an elevated cyber risk.

All organizations show an elevated risk associated with the Cyber Threat Index, with all regions exhibiting approximately the same level of risk.


[Figure: bar charts of the Cyber Preparedness Index (lower number, higher risk) and the Cyber Threat Index (higher number, higher risk) for North America, Latin/South America, Europe, Asia-Pacific and All Regions. Values that survive extraction: 5.14, 5.25, 5.15, 4.94.]

Index Ratings

Range           Cyber Preparedness Index    Cyber Threat Index
7.51 to 10      Low Risk                    High Risk
5.01 to 7.50    Moderate Risk               Elevated Risk
2.51 to 5.0     Elevated Risk               Moderate Risk
0 to 2.5        High Risk                   Low Risk


Differences Between Regions 





Top 5 cyber threats

All Regions

1. Ransomware
2. Phishing and social engineering
3. Denial of service (DoS)
4. Botnets
5. Man-in-the-middle attack

North America

1. Ransomware
2. Denial of service (DoS)
3. Phishing and social engineering
4. Man-in-the-middle attack
5. Advanced persistent threats (APT)

Latin/South America

1. Cross-site scripting
2. Fileless attack
3. Denial of service (DoS)
4. Botnets
5. Clickjacking

Europe

1. Ransomware
2. Phishing and social engineering
3. Botnets
4. Denial of service (DoS)
5. Man-in-the-middle attack and clickjacking

Asia-Pacific

1. Phishing and social engineering
2. Botnets
3. Fileless attack
4. Ransomware
5. Denial of service (DoS)





Likelihood of a successful cyberattack 


Across the four regions, respondents appear to be concerned they will be 
successfully attacked in the next 12 months. 8 of 10 in North America 
and Europe, 7 of 10 in Asia-Pacific, and 6 of 10 in Latin/South America 
are somewhat to very likely to be compromised in the next 12 months. 

Key Survey Questions














IT managers were asked several key survey questions to measure important aspects of their companies' cybersecurity posture. Here's a sampling of the survey's more revealing questions.


Legend: North America, Latin/South America, Europe, Asia-Pacific

1) My organization makes appropriate investments in leading-edged security technologies such as machine learning, automation, orchestration, analytics, and/or artificial intelligence tools. (Lower number means less prepared on 0-10 point scale)

4.63
4.40
4.99
4.58

Likelihood of a data breach of critical data (IP) in next 12 months: 11% likelihood

With surveyed saying a breach of critical data is likely in the next 12 months, and a lack of preparedness to deal with an attack, organizations should rethink their current security strategy.





2) How many separate cyberattacks that infiltrated your organization's networks and/or enterprise systems did your organization experience over the past 12 months? Shown below is the percentage of those with one or more attacks.


84% 
87% 
85% 
80% 


Takeaway 





Likelihood of one or more successful cyberattacks in the next 12 months: 16% likelihood

say they are likely to be breached in the next 12 months, and as such, organizations need to build improved breach detection capabilities.





3) The percentage of organizations who had seven or more separate cyberattacks over the past 12 months.


29% 
36% 
33% 
42% 


Takeaway 























The top four data types at highest risk of loss or theft are:

• R&D information
• Financial information
• Business communication (email)
• Company-confidential information

The data types at risk cited by respondents are critical to a business' operations and livelihood.





